Database Develop

SafetyNet CTS profile match false

This thread is dedicated to understanding what is causing the SafetyNet to report the CTS profile match as false.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
I tried unrooting and flashing a new kernel, but the error remains.
Anyone knows what does it check?
@Tesla
@xstahsie

What I can tell you, Busybox is not the problem in my case. Fully unrooted und un-busyboxed my Note3 (see sig) by modding the ROM I use pre-flash, wiped /system and put it on there with TWRP. Nope. I am close to think that there's some thing custom ROMs pass to Google by SafetyNet and are being detected as not official by that. The fingerprint (In my case "samsung/hero2ltexx/hero2lte:6.0.1/MMB29K/G935FXXU1APEK:user/release-keys") compared to H/W maybe...

I have the same problem with a unroot cyanogenmod 13. Pokemon Go die.

sakis_the_fraud said:
This thread is dedicated to understanding what is causing the SafetyNet to report the CTS profile match as false.
View attachment 3902690
I tried unrooting and flashing a new kernel, but the error remains.
Anyone knows what does it check?
@Tesla
@xstahsie
Click to expand...
Click to collapse
Assuming you have made a NANDROID backup via TWRP when the phone was unrooted, simply restore "boot" from your backup. If you don't have a copy, you'll need to reflash your ROM. And if you have to do that, just flash boot and system.
Sent from my Nexus 6P using Tapatalk

I'm on the same boat as you guys. Exact same error, CM13 with su removed, nothing else modified. No idea why CTS is now false.

xstahsie said:
Assuming you have made a NANDROID backup via TWRP when the phone was unrooted, simply restore "boot" from your backup. If you don't have a copy, you'll need to reflash your ROM. And if you have to do that, just flash boot and system.
Sent from my Nexus 6P using Tapatalk
Click to expand...
Click to collapse
Phone was rooted on second boot.
I will try to flash a stock kernel when i return home, but i don't expect much.
Flashing stock system is definitely not an option, do you think dirtyflash will work?
Sent from my Xperia Z5 using Tapatalk

sakis_the_fraud said:
Phone was rooted on second boot.
I will try to flash a stock kernel when i return home, but i don't expect much.
Flashing stock system is definitely not an option, do you think dirtyflash will work?
Sent from my Xperia Z5 using Tapatalk
Click to expand...
Click to collapse
I've dirty flash system on LG G3 many times without any issues. Just wipe cache afterward.
Sent from my Nexus 6P using Tapatalk

@AbiDez , @Boosik , @asdone001 check here, we all have the same problem!
anyone here tried switching SELinux mode as phhuson suggested?
phhusson said:
For people for which SafetyNet fails, is /sys/fs/selinux/enforce or policy readable by an application?
On standard Android it's not readable, but perhaps that's the difference on your devices.
Click to expand...
Click to collapse
here is a guide:
koron393 said:
Code:
$ getenforce
This prints SELinux mode. (Permissive or Enforcing)
Code:
$ su
# setenforce 1
This will set SELinux mode Enforcing.
or try
Code:
# setenforce Enforcing
Click to expand...
Click to collapse
my kernel is set to permissive and I can't switch it, i will try to flash stock and report back.

sakis_the_fraud said:
@AbiDez , @Boosik , @asdone001 check here, we all have the same problem!
anyone here tried switching SELinux mode as phhuson suggested?
my kernel is set to permissive and I can't switch it, i will try to flash stock and report back.
Click to expand...
Click to collapse
Already tried it, but not with those commands. I switched from an unofficial CM13 ROM with SElinux set to permissive to an official CM13 nightly with SElinux set to enforcing. I removed root and bam, Safety Net check passes all checks now.

@sakis_the_fraud
My kernel is
.
On pure stock rom with stock recovery without root - SafetyNet is all green, PoGo works.
On stock rom with TWRP without root - SafetyNet is all green, PoGo works.
On stock rom with TWRP and superuser-r266-hidesu - SafetyNet is red (CTS profile match: false), PoGo doesn't work.
My superuser-r266-hidesu config is "eng noverity crypt hidesu".
But as phh asked "/sys/fs/selinux/enforce" is readable on my device, I can open it in SE File Explorer (contains 1). "/sys/fs/selinux/policy" gives me access denied.
---------- Post added at 01:38 PM ---------- Previous post was at 12:39 PM ----------
Fixed it by setting my superuser-r266-hidesu to verity (was using noverity to be able to mount /system as rw).

Boosik said:
My superuser-r266-hidesu config is "eng noverity crypt hidesu".
Fixed it by setting my superuser-r266-hidesu to verity (was using noverity to be able to mount /system as rw).
Click to expand...
Click to collapse
great info, we are getting somewhere. :good:
could you tell me how to change this setting?
Also, you could try with "noverity setting" to use the "root switch" from shakalaca.
You can find the latest version here at post no: 263.

sakis_the_fraud said:
great info, we are getting somewhere. :good:
could you tell me how to change this setting?
Also, you could try with "noverity setting" to use the "root switch" from shakalaca.
You can find the latest version here at post no: 263.
Click to expand...
Click to collapse
Open the superuser-r266-hidesu.zip archive and there is config.txt file. Open it and there are some words "eng verity crypt hidesu" I had it set to "noverity" it has to be "verity". Also root switch app doesn't seem to work with phh's superuser.

Boosik said:
Open the superuser-r266-hidesu.zip archive and there is config.txt file. Open it and there are some words "eng verity crypt hidesu" I had it set to "noverity" it has to be "verity". Also root switch app doesn't seem to work with phh's superuser.
Click to expand...
Click to collapse
thanks!
I see that the default option is verity, but it isn't passing the CTS profile match for me.
have you tried with chainfire's root and hidesu, maybe got some luck with that!

sakis_the_fraud said:
thanks!
I see that the default option is verity, but it isn't passing the CTS profile match for me.
have you tried with chainfire's root and hidesu, maybe got some luck with that!
Click to expand...
Click to collapse
Unfortunately chainfires su 2.78-SR1 has huge performance hit on my phone for some reason and makes it nearly unusable, so that is no option for me.
---------- Post added at 02:29 PM ---------- Previous post was at 02:27 PM ----------
Are you using Magisk?
I do not use it.
I have stock rom and flashed superuser-r266-hidesu.zip nothing else. Everything works fine now.

Boosik said:
Unfortunately chainfires su 2.78-SR1 has huge performance hit on my phone for some reason and makes it nearly unusable, so that is no option for me.
Click to expand...
Click to collapse
i haven't tried it yet, reading about systemless install and the rest procedure.
what device are you using?
Boosik said:
Are you using Magisk?
I do not use it.
I have stock rom and flashed superuser-r266-hidesu.zip nothing else. Everything works fine now.
Click to expand...
Click to collapse
no.
here are the setups I have tried

sakis_the_fraud said:
i haven't tried it yet, reading about systemless install and the rest procedure.
what device are you using?
no.
here are the setups I have tried
View attachment 3903539
Click to expand...
Click to collapse
My device is Huawei Mate 8 (NXT-L29C432)
AFAIK "dm verity" has to be on for CTS to pass.
---------- Post added at 02:39 PM ---------- Previous post was at 02:35 PM ----------
Is your current phone Sony Z5?
On the Magisk page, there is something about Sony kernels being unpatchable, maybe that is the problem why your phone does not boot while trying it with dm verity on?
Sony devices generally: Sony devices seems to use ELF kernel that is unpatchable, or some has two ramdisks (inner + outer), both requires different workarounds, if you know any addition quirks about Sony boot image modifications, please contact me
Click to expand...
Click to collapse

Boosik said:
AFAIK "dm verity" has to be on for CTS to pass.
Click to expand...
Click to collapse
If yes, I'm screwed! I have no clue why it doesn't boot with that on!
Boosik said:
Is your current phone Sony Z5?
On the Magisk page, there is something about Sony kernels being unpatchable, maybe that is the problem why your phone does not boot while trying it with dm verity on?
Click to expand...
Click to collapse
yes, but there is a tool that can patch the kernel and edit those kind of things such as dm verity, sony ric, root, twrp etc.
also, magisk was working fine on my phone, i was using it before turning to phh's v266.

What does it mean if its says this and my phone is still vanilla.as in never been rooted or used thirdparty apps or that sort of stuff
Sent from my Elite 5 using Tapatalk

javaxcore said:
What does it mean if its says this and my phone is still vanilla.as in never been rooted or used thirdparty apps or that sort of stuff
Click to expand...
Click to collapse
something is tipping cts, we are searching to find it.

@Jayster06 check here
Something is tripping CTS, if it was on /system, why it isn't reported with stock kernel?
If you are rooted, the checker reports that the response validation failed, so it's not the root.
here are the configurations I have tried so far...
please report back if you found a solution.

Bootloop after installing Xposed via Magisk

I've got the Google Fi variant of the Moto X4 (XT1900-1). It's running stock build OPW28.46-18 (Android 8.1). TWRP 3.2.1-1. I was able to install the latest Magisk no problem and I have working root access. My issue arises when I try to install the Magisk variant of Xposed Framework. When I do this and reboot, the phone seemingly gets caught in a bootloop. I've let it sit for 15-20 minutes to see if it would recover and it does not. To exit the loop, I reboot to fastboot then to TWRP and flash a ZIP that allows me to uninstall Magisk modules right from TWRP. Reboot and phone works fine.
I've tried both versions of the Xposed Framework in the Magisk downloads section (the smart version that automatically chooses the proper framework, and the explicit SDK 27 version), as well as downloaded the ZIP and tried to install it from TWRP. Similar result in all cases. I have only tried the "systemless" Xposed that works with Magisk thus far.
Has anyone else run into and dealt with this issue, or have any suggestions? I'd really like to get Xposed working so I can get XPrivacyLua going and switch over to using this phone as my daily driver.

how are you flashing Xposed? from Recovery or magisk?

abhi212b said:
how are you flashing Xposed? from Recovery or magisk?
Click to expand...
Click to collapse
I've tried both: installing via Magisk Manager as well as flashing zip in TWRP (xposed-v90.2-sdk27-beta3-topjohnwu.zip). Similar results in both cases.

I didn't think there was a version of xposed compatible with Oreo yet but I could be wrong. This would be a better question in Xposed Section of XDA.

Neffy27 said:
I didn't think there was a version of xposed compatible with Oreo yet but I could be wrong. This would be a better question in Xposed Section of XDA.
Click to expand...
Click to collapse
There's been a beta version for Oreo 8.0/8.1 since maybe January (t's on beta version 3 now I think). I'd tried it on my OnePlus 3 with success. I thought maybe it was a Moto X4 issue and I might as well check here first to see if anyone else with this phone had already run into this and fixed it. I'll go ahead and ask the question in the Xposed section of the forum. Thanks!

Seems the OP of this thread has Xposed working: https://forum.xda-developers.com/moto-x4/help/oreo-magisk-xposed-modules-reboot-t3745612 - Maybe they could help.

Even i had working xposed!
But did not face bootloops!
The way i do it is!
I flash it when i am flashing gapps!
So...flash rom... Flash twrp... Reboot recovery.. . Flash gapps! Flash magisk... Flash xposed...boot to system!

abhi212b said:
Even i had working xposed!
But did not face bootloops!
The way i do it is!
I flash it when i am flashing gapps!
So...flash rom... Flash twrp... Reboot recovery.. . Flash gapps! Flash magisk... Flash xposed...boot to system!
Click to expand...
Click to collapse
Thanks for posting that

abhi212b said:
Even i had working xposed!
But did not face bootloops!
The way i do it is!
I flash it when i am flashing gapps!
So...flash rom... Flash twrp... Reboot recovery.. . Flash gapps! Flash magisk... Flash xposed...boot to system!
Click to expand...
Click to collapse
Thanks for the info! Perhaps it's an incompatibility with the stock ROM then, as that's what I'm using. I haven't flashed a different ROM nor GApps on this phone yet (mostly out of fear of not being able to go back to stock with seemingly no official factory images floating around).

I got bootloops too with Magisk and systemless Xposed. I had pattern password set, so I couldn't get TWRP full access to the data to remove Xposed, so I had to delete all my data.
From what I read, Magisk and systemless xposed will not pass SafetyNet so Android pay won't work.

dcdruck1117 said:
Thanks for the info! Perhaps it's an incompatibility with the stock ROM then, as that's what I'm using. I haven't flashed a different ROM nor GApps on this phone yet (mostly out of fear of not being able to go back to stock with seemingly no official factory images floating around).
Click to expand...
Click to collapse
No.. The stock rom is compatible! I simply flashed magisk and then xposed v90... The latest ones! Yeah safety net is broken! But there is a workaround! It is disable the xposed module from magisk and reboot.. Nd then you can use android pay... Once you are done! Activate the module.. And reboot!

solara1973 said:
I got bootloops too with Magisk and systemless Xposed. I had pattern password set, so I couldn't get TWRP full access to the data to remove Xposed, so I had to delete all my data.
From what I read, Magisk and systemless xposed will not pass SafetyNet so Android pay won't work.
Click to expand...
Click to collapse
Thanks for the info. You're correct about SafetyNet and Android Pay; I gave up on Android Pay years ago for that reason, because Xposed is too important to me to give it up. Perhaps I'll try starting from scratch again with this phone. I'm hesitant to flash ROMs on this phone, stock or otherwise, because of the scarcity of factory images available should something go terribly wrong..
abhi212b said:
No.. The stock rom is compatible! I simply flashed magisk and then xposed v90... The latest ones! Yeah safety net is broken! But there is a workaround! It is disable the xposed module from magisk and reboot.. Nd then you can use android pay... Once you are done! Activate the module.. And reboot!
Click to expand...
Click to collapse
Thank you. I think I'll try to start over and see if I can get it to work. Or maybe I will try using the regular version of Xposed (not the Magisk version).
If you know of a repository of factory images for the Android One version, that would be helpful. I'm finding some images for the retail version but not much love for the A1 version.
Edit: I just found this post which seems like it may contain what I'm looking for, "Latest Project Fi Firmware (Android 8.1)": https://forum.xda-developers.com/moto-x4/how-to/guide-how-to-flash-official-factory-t3808348

I flashed back to stock using the files from the link in my previous post. The weird thing there is that SafetyNet fails immediately now, clearly some side effect of flashing back the stock images. Anyway, I again installed TWRP, then Magisk, then Xposed, and again ran into the same boot loop. I don't know what else to try other than to wait for maybe a new Xposed beta, or maybe try an even older Oreo build on this phone and see how that works.
I've run Xposed (and more recently, Magisk+Xposed) on every Android device I've owned since Xposed has been in existence, and this is the first phone to ever give me trouble.

abhi212b said:
Even i had working xposed!
But did not face bootloops!
The way i do it is!
I flash it when i am flashing gapps!
So...flash rom... Flash twrp... Reboot recovery.. . Flash gapps! Flash magisk... Flash xposed...boot to system!
Click to expand...
Click to collapse
Which Stock ROM version are you using? Xposed worked for me in Oreo 8.0, but has not worked since upgrading to 8.1. I get the same bootloop issue on OPW28.2.

AvenidaDelGato said:
Which Stock ROM version are you using? Xposed worked for me in Oreo 8.0, but has not worked since upgrading to 8.1. I get the same bootloop issue on OPW28.2.
Click to expand...
Click to collapse
Thank you, that's good to know because I'm also on 8.1, so it sounds plausible that it's not just me, but a larger compatibility issue between Xposed and 8.1. on this phone.

Just an update, I ended up flashing a factory 8.0 ROM via fastboot and, while it still fails SafetyNet (CTS Profile Mismatch) for some reason, I was able to get Xposed running and finally start using the phone as my primary device. So it is likely to be an 8.1 compatibility issue on this device that was giving me trouble before. Now hopefully I can find a version to flash that will pass SafetyNet, but until then, this will suffice. Thanks for everyone's help!

dcdruck1117 said:
Just an update, I ended up flashing a factory 8.0 ROM via fastboot and, while it still fails SafetyNet (CTS Profile Mismatch) for some reason, I was able to get Xposed running and finally start using the phone as my primary device. So it is likely to be an 8.1 compatibility issue on this device that was giving me trouble before. Now hopefully I can find a version to flash that will pass SafetyNet, but until then, this will suffice. Thanks for everyone's help!
Click to expand...
Click to collapse
I've been putting off unlocking bootloader due to my recent concerns with these ota patches being released.
If safetynet fails, what can you not use besides Pay? It's to my understanding safetynet is now being incorporated to several applications and failing, will result in a sometimes inoperable app altogether?

dcdruck1117 said:
I've tried both: installing via Magisk Manager as well as flashing zip in TWRP (xposed-v90.2-sdk27-beta3-topjohnwu.zip). Similar results in both cases.
Click to expand...
Click to collapse
Use EdXposed, works for me, and pass Safetynet
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

Blind app is detecting root with Magisk Hide

I've got an app I'd like to use that somehow keeps detecting root. It's called Blind (https://play.google.com/store/apps/details?id=com.teamblind.blind)
I've also got Pokemon Go installed, but that works just fine. Not problems with Magisk Hide.
I'm ready and willing to provide logs and such, just not sure where I should start.
Thanks!

https://www.didgeridoohan.com/magisk/MagiskHideHidingRoot

mew1033 said:
I've got an app I'd like to use that somehow keeps detecting root. It's called Blind (https://play.google.com/store/apps/details?id=com.teamblind.blind)
I've also got Pokemon Go installed, but that works just fine. Not problems with Magisk Hide.
I'm ready and willing to provide logs and such, just not sure where I should start.
Thanks!
Click to expand...
Click to collapse
Did you ever figure it out?

Just. Tried too. For test lol.
Didn't work for me.
I'm having issue with spay for gear 3.
If you can figure it out and maybe we can also both our issues

It suddenly started working for me today...

I was having this issue too. I eventually got so frustrated, I unrooted my device, relocked the bootloader, and did a factory reset. Still thinks I'm rooted, even though I'm completely factory. I think they get some unique device identifier and block your device server-side
If anyone figures it out, please let me know.
A bit of an annoying workaround: if you can make a comment with a different phone, and you get a notification telling you someone replied, you can open the app by tapping on the notification. However, it won't work if you open it by tapping on the icon

Any update?
Tried a whole bunch of things to hide Magisk. Blind just doesn't work.

Works!
Looks like Blind is detecting if your bootloader is unlocked. I installed this Magisk module called "SafetyPatch", which prevents apps from detecting if your bootloader is unlocked. That fixed it for me!

Darn, tried installing SafetyPatch, but still no luck
I suspect my phone has been blacklisted or something

I had checked logcat and it seems that blind was using com.liapp.lockincomp to detect root and display the alert. after hiding magisk manager and using magisk hide on blind it still didn't work even after clearing data/reinstalling the app. after a few days it magically started working again. guess they blacklist devices for x amount of time after they detect root.

I had Blind 2.5 and Magisk 17 working together. About two weeks ago I updated both and it stopped working. Anyone using Blind 2.6 with Magisk 18? I think my device got banned - downgrading Blind to 2.5 didn't help.

{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Seeing the issue on Blind 2.6.4 with Magisk Hide Enabled. Any other suggestions on a workaround?

Waited one week, installed Blind 2.5 from a backup and it works fine with Magisk 18.

babelus said:
Waited one week, installed Blind 2.5 from a backup and it works fine with Magisk 18.
Click to expand...
Click to collapse
So you uninstalled it & re-installed it after a week?
When you say backup, do you mean an APK that you had backed or a backup taken from TiBackup?

1nv1n said:
So you uninstalled it & re-installed it after a week?
When you say backup, do you mean an APK that you had backed or a backup taken from TiBackup?
Click to expand...
Click to collapse
Correct, uninstall Blind, wait a week, reinstall from backup of APK (TitaniumBackup). I can share the APK, but you shouldn't trust me.

I uninstalled Blind. Uninstalled Xposed. Made sure Magisk was able to pass all SafetyNet checks. Re-installed Blind from the Play Store. Used Magisk to hide it & was able to launch it without issues.

1nv1n said:
I uninstalled Blind. Uninstalled Xposed. Made sure Magisk was able to pass all SafetyNet checks. Re-installed Blind from the Play Store. Used Magisk to hide it & was able to launch it without issues.
Click to expand...
Click to collapse
Thanks for sharing, this worked for me
(Rooted stock Moto Z2 Force with Oreo)

Looks like it's broken again? I tried following the same process; but even after being hidden through Manager, it's still able to detect either root or bootloader unlock.
Anyone got any ideas?

1nv1n said:
Looks like it's broken again? I tried following the same process; but even after being hidden through Manager, it's still able to detect either root or bootloader unlock.
Anyone got any ideas?
Click to expand...
Click to collapse
I can confirm my workaround using the old version of Blind stopped working. New version works for a day or two after installation, then it detects root and I have to uninstall and wait for the ban to expire.

How many days does the ban last for?

Csprofile false still not getting resolved!

Phone: Redmi Note 7 Pro (Violet)
Bootloader: Unlocked
Issues: Magisk ctsprofile false
Troubleshooting:
I'm caught up in a very weird tough situation.
All was going good until I installed edxposed and gravitybox and some modules and since then Magisk kept returning ctsprofile false.
So I flashed stock MI rom using MIFlash tool and also re-locked BL.
So at this time the phone is just like a factory one..no magisk/xposed etc.
Then UL Bootloader and re-flashed twrp and same rom.
This time it should had worked but again Magisk kept returning ctsprofile false.
This is so frustrating.
I tried other roms as well like pixel exp. without any xposed crapp etc. but all showing ctsprofile false.
Tried updating magisk to latest and even downgrading but to no vail.
I even tried MagiskHidePropsConf-v4.0.3 but it didnt worked.
Tried magisk hide but no luck.
All safetynet check apps fail test.
Tried SafetyPatch-v3 and it worked but keep giving very annoying error on system boot about some huawei thing and have to ok everytime.
Any valuable suggestions to fix this for good??

If Safetypatch works, then MagiskHide Props Config should work as well. Did you set up a certified fingerprint after having installed the module? It's not a flash-and-forget module, it takes a bit of setup as well.
Safetypatch uses the same method, but doesn't let you pick a fingerprint, which is why you might get the error you're seeing. If you really want to use Safetypatch, you can get around that by editing the module boot script and replace the default fingerprint with one of your own, and also enabling editing of the vendor fingerprint (that's disabled by default in that module).
More info on SafetyNet, with tips and tricks can be found here:
https://didgeridoohan.com/magisk/MagiskHide#hn_SafetyNet

Didgeridoohan said:
editing the module boot script and replace the default fingerprint with one of your own, and also enabling editing of the vendor fingerprint (that's disabled by default in that module).
Click to expand...
Click to collapse
Hey thanks for the reply.
Can you please post a noob guide as to where to/how to find or define my own fingerprint and also edit vendor fingerprint?
Also, as I described, initially all was good but after xposed all screwed up. Even stock miui rom and then unlocking of BL isn't helping.
May I know the actual reason behind it as why reflashing different roms even after starting from scratch isnt helping to CSprofile True.

Those ROMs likely don't have a certified device fingerprint. It's also possible that Google tightened up something about that recently, so that fingerprints that did work without a correspond safety patch date now don't. That's pure guesswork on my part though, don't take it as fact.
The noob way of doing it would be to use MagiskHide Props Config and pick a fingerprint from the included list. Unfortunately I don't have a violet print in there at the moment... Luckily you can use whatever print that is certified, but if you really want a print from your device you can take a look a little further down in the docs for instructions.
If you find a matching print, you can use it in the module (by entering it manually), but also submit it in the module thread for me to include it in the list. Of course, you could also use it with Safetypatch by editing the module files found in /data/adb/modules/safetypatch (just replace the Huawei print with yours).

Didgeridoohan said:
Those ROMs likely don't have a certified device fingerprint. It's also possible that Google tightened up something about that recently, so that fingerprints that did work without a correspond safety patch date now don't. That's pure guesswork on my part though, don't take it as fact.
The noob way of doing it would be to use MagiskHide Props Config and pick a fingerprint from the included list. Unfortunately I don't have a violet print in there at the moment... Luckily you can use whatever print that is certified, but if you really want a print from your device you can take a look a little further down in the docs for instructions.
If you find a matching print, you can use it in the module (by entering it manually), but also submit it in the module thread for me to include it in the list. Of course, you could also use it with Safetypatch by editing the module files found in /data/adb/modules/safetypatch (just replace the Huawei print with yours).
Click to expand...
Click to collapse
Just wanna know what if I reflash stock miui rom and just extract its fingerprint from build.prop and after flashing back Havoc rom and rooting, use this original fingerprint with SafetyPatch-v3.zip, will this work?
And currently most of the suers have already flashed SafetyPatch-v3.zip which uses huawei fingerprint, will it be possible google might blacklist/block that as well?

nri_tech1183 said:
Just wanna know what if I reflash stock miui rom and just extract its fingerprint from build.prop and after flashing back Havoc rom and rooting, use this original fingerprint with SafetyPatch-v3.zip, will this work?
Click to expand...
Click to collapse
As long as that ROM is CTS certified it should work just fine.
And currently most of the suers have already flashed SafetyPatch-v3.zip which uses huawei fingerprint, will it be possible google might blacklist/block that as well?
Click to expand...
Click to collapse
Possible but very unlikely.

Nice.
So I finally found 3 fingerprints from stock redmi violet from earlier updates.
10.3.5.0
10.3.7.0
10.3.13.0
What now I plan is to edit post-fs-data.sh file in SafetyPatch-v3.zip to replace the Huawei fingerprints with redmi ones.
But before that how to remove existing SafetyPatch-v3?
Shall I reflash it from recovery to get uninstalled or simply delete from magisk module list to reset it so I can then flash the edited SafetyPatch created properly from twrp?
And most importantly, after flashing redmi fingerprint will the CTSprofile return True value or is it a hit or miss?
And will I still get this similar alert later on as well? Actually want to get rid of this alert on every boot.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
Do we need to edit vendor.img for this??

You don't have to remove anything... Just edit the file as it is in the module directory under /data/adb/modules and reboot.
To get rid of the warning message, just make sure to also remove the # in front of the vendor prop (and replace all the fingerprints with your own).
It is not certain that the prints will work for you, since you might also need the security patch date from the release you're using. Or the prints aren't actually certified. Only way to know is to test.
Would you mind posting the prints (and security patch date) so I can test them and add to the list included in MagiskHide Props Config?

Didgeridoohan said:
You don't have to remove anything... Just edit the file as it is in the module directory under /data/adb/modules and reboot.
Click to expand...
Click to collapse
Do I need to do it from the twrp terminal, adb, or simply can be done from the OS itself using some file explorer?
Didgeridoohan said:
To get rid of the warning message, just make sure to also remove the # in front of the vendor prop (and replace all the fingerprints with your own).
Click to expand...
Click to collapse
You mean that inside SafetyPatch-v3, edit "post-fs-data" file
and remove "#" resetprop ro.vendor.build.fingerprint 'HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys' right?
I hope it wont result into any bootloop.
Or is there any other seperate vendor.prop file (which I didnt found in roms nor in my phone).
Didgeridoohan said:
It is not certain that the prints will work for you, since you might also need the security patch date from the release you're using. Or the prints aren't actually certified. Only way to know is to test..
Click to expand...
Click to collapse
True, we need to keep experimenting but I wonder how come some other devices fingerprints helps us to pass ctsprofile safetynet test?
For latest devices can we use old devices fprints like redmi note 3 or nexus or pixel? I think pixel will be too good as its google device and spoof free!
Didgeridoohan said:
Would you mind posting the prints (and security patch date) so I can test them and add to the list included in MagiskHide Props Config?
Click to expand...
Click to collapse
Surely mate I will message you all of them. I found those fprints in prop.default file so will share the file contents with you.

nri_tech1183 said:
Do I need to do it from the twrp terminal, adb, or simply can be done from the OS itself using some file explorer?
Click to expand...
Click to collapse
From OS works fine. That file is only run during boot.
You mean that inside SafetyPatch-v3, edit "post-fs-data" file
and remove "#" resetprop ro.vendor.build.fingerprint 'HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys' right?
Click to expand...
Click to collapse
That's exactly it.
True, we need to keep experimenting but I wonder how come some other devices fingerprints helps us to pass ctsprofile safetynet test?
For latest devices can we use old devices fprints like redmi note 3 or nexus or pixel? I think pixel will be too good as its google device and spoof free!
Click to expand...
Click to collapse
Some print are certified by Google, others are not. And old (before March 2018) certified prints don't need the safety patch date to match. Everything about SafetyNet is pretty thoroughly explained in the links I've posted here previously, so I suggest you also take a look there.

Didgeridoohan said:
From OS works fine. That file is only run during boot.
That's exactly it.
Some print are certified by Google, others are not. And old (before March 2018) certified prints don't need the safety patch date to match. Everything about SafetyNet is pretty thoroughly explained in the links I've posted here previously, so I suggest you also take a look there.
Click to expand...
Click to collapse
Hey I succeeded in removing the Huawei warning error prompt.
In your file "post-fs-data.sh"
you stated:
resetprop ro.vendor.build.fingerprint 'HUAWEI/CLT-L29/HWCLT:8.1.0/HUAWEICLT-L29/128(C432):user/release-keys'
#The above caused issues (critical services not starting) on my Honor
What do you meant by #The above caused issues (critical services not starting) on my Honor
What all services failed to or were not running in your Honor?
I didnt find anything unusual on my phone, but would still like to verify if any critical services arent running.
How to check them out?

That's not my statement... I'm the creator of MagiskHide Props Config, not Safetypatch. I don't know what he was referring to.

Didgeridoohan said:
That's not my statement... I'm the creator of MagiskHide Props Config, not Safetypatch. I don't know what he was referring to.
Click to expand...
Click to collapse
How to share redmi note 7 pro stock fingerprints with you? Shall I pm you?

nri_tech1183 said:
How to share redmi note 7 pro stock fingerprints with you? Shall I pm you?
Click to expand...
Click to collapse
That works. Thank you.

Didgeridoohan said:
That works. Thank you.
Click to expand...
Click to collapse
Have sent you fingerprints.
Also wanna ask, now that I'm using huawei fingerprint with SafetyPatch-v3 and ctsprofile is reporting true, can I still install edxposed and yet retain ctsprofile values to true?

nri_tech1183 said:
Have sent you fingerprints.
Also wanna ask, now that I'm using huawei fingerprint with SafetyPatch-v3 and ctsprofile is reporting true, can I still install edxposed and yet retain ctsprofile values to true?
Click to expand...
Click to collapse
Thank you. Received.
As far as I know (I don't use EdXposed) Google can't detect (or doesn't yet look for) EdXposed so you should be good to go.

Didgeridoohan said:
Thank you. Received.
As far as I know (I don't use EdXposed) Google can't detect (or doesn't yet look for) EdXposed so you should be good to go.
Click to expand...
Click to collapse
Asking as installing exposed kills the cts thing and makes it false.
In short if you installed Xposed then there is no possible way to pass safety net.
If you can research and do let me know it will be great as I really need some exposed modules to run which aren't yet available in magisk modules.

nri_tech1183 said:
Asking as installing exposed kills the cts thing and makes it false.
In short if you installed Xposed then there is no possible way to pass safety net.
If you can research and do let me know it will be great as I really need some exposed modules to run which aren't yet available in magisk modules.
Click to expand...
Click to collapse
You're talking about different things now...
It's true that Xposed will trigger SafetyNet, no matter what, but from what I've seen EdXposed doesn't (although I might not be up-to-date on that).
Note the difference in names. They're very similar, but work slightly different.

nri_tech1183 said:
Have sent you fingerprints.
Also wanna ask, now that I'm using huawei fingerprint with SafetyPatch-v3 and ctsprofile is reporting true, can I still install edxposed and yet retain ctsprofile values to true?
Click to expand...
Click to collapse
Didgeridoohan said:
Thank you. Received.
As far as I know (I don't use EdXposed) Google can't detect (or doesn't yet look for) EdXposed so you should be good to go.
Click to expand...
Click to collapse
@nri_tech1183 / @Didgeridoohan can you pls send me too the device fingerprints for violet?
I am using xiaomi.eu ROM on my Redmi Note 7 Pro (violet) and recently updated to xiaomi.eu MIUI 11 and Playstore is not ceritifed. It seems xiaomi.eu has been using lavender fingerprints which is not the best case. And also works on & off.
PS: Happy to test out if required.

Didgeridoohan said:
You're talking about different things now...
It's true that Xposed will trigger SafetyNet, no matter what, but from what I've seen EdXposed doesn't (although I might not be up-to-date on that).
Note the difference in names. They're very similar, but work slightly different.
Click to expand...
Click to collapse
Now that all is working good I wanna risk running Edxposed on my phone.
Just let me know what all backups do I need to take inside TWRP before flashing Edxposed so that if safetynet check fails later I can restore my phone toe earlier state.

Question Can i use google pay on an unrooted unlcoked device?

Hello there,
I bought a 10 pro that has the bootloader unlocked, i think (it has the orange state message when booting up the phone)
I checked root status.. it says not rooted.
1. Is there a way i can make google pay work without rooting the device?
2. If i need to root the device will i still be able to get OTG updates?
3. Do i need to flash a new rom even if i`m rooted or can i use the original one to make google pay work.
4. I've read about ppl that updated to oxygen 13 and had their bootloader unlocked although they did not want to...
Thank you

1. Is there a way i can make google pay work without rooting the device?
no
2. If i need to root the device will i still be able to get OTG updates?
yes
3. Do i need to flash a new rom even if i`m rooted or can i use the original one to make google pay work.
need to install safetynetfix
4. I've read about ppl that updated to oxygen 13 and had their bootloader unlocked although they did not want to...
not possible. unlocking and locking wipes the phone.

@qiuness just root mate. It can be completely hidden, zero drawbacks from my perspective, flash the Google photos mod I uploaded, add the modded safety net fix (attached) and you're all good.
Everything works for me as expected.

dladz said:
@qiuness just root mate. It can be completely hidden, zero drawbacks from my perspective, flash the Google photos mod I uploaded, add the modded safety net fix (attached) and you're all good.
Everything works for me as expected.
Click to expand...
Click to collapse
OTA updates won't work anymore.. Once rooted I have to constantly flash roms

qiuness said:
OTA updates won't work anymore.. Once rooted I have to constantly flash roms
Click to expand...
Click to collapse
Ota updates will work fine after rooting. You just open Magisk and restore images, update, then don't reboot and select install magisk ota then reboot. Follow the sticky in the forum.

qiuness said:
OTA updates won't work anymore.. Once rooted I have to constantly flash roms
Click to expand...
Click to collapse
Nah that's not true buddy, just grab your full zips from oxygen updater, retain root using the local updater APK and magisk OTA install then reboot, I've got a whole thread on it...it's very very easy.

dladz said:
@qiuness just root mate. It can be completely hidden, zero drawbacks from my perspective, flash the Google photos mod I uploaded, add the modded safety net fix (attached) and you're all good.
Everything works for me as expected.
Click to expand...
Click to collapse
I managed to root the device successully, then used magisk / modules tab / and fed the ZIP i downloaded from github. It asked me to reboot, which i did, but the wallet app still denies my card and says it cannot be used on this device.

qiuness said:
Hello there,
I bought a 10 pro that has the bootloader unlocked, i think (it has the orange state message when booting up the phone)
I checked root status.. it says not rooted.
1. Is there a way i can make google pay work without rooting the device?
Click to expand...
Click to collapse
No. See this thread. Unlocking the bootloader disables hardware backed attestation which is used by Play Integrity to verify device state. This means that unless your device is 100% stock with a locked bootloader, you cannot use GPay/Wallet unless you're rooted with Magisk and use specific modules.
qiuness said:
3. Do i need to flash a new rom even if i`m rooted or can i use the original one to make google pay work.
Click to expand...
Click to collapse
See my answer to #1. If you're rooted with Magisk (v24.0 or newer) you can use a Magisk module to pass 2 out of 3 Play Integrity labels, which should be sufficient to get GPay/Wallet working again.
qiuness said:
I managed to root the device successully, then used magisk / modules tab / and fed the ZIP i downloaded from github. It asked me to reboot, which i did, but the wallet app still denies my card and says it cannot be used on this device.
Click to expand...
Click to collapse
Again, see the thread I linked. You need to check Play Integrity. If you're passing the BASIC and DEVICE labels, you probably need to clear data for Play Services, Pay, and Wallet.

qiuness said:
I managed to root the device successully, then used magisk / modules tab / and fed the ZIP i downloaded from github. It asked me to reboot, which i did, but the wallet app still denies my card and says it cannot be used on this device.
Click to expand...
Click to collapse
Just turn on zygisk and use this module.
Releases · Displax/safetynet-fix
Google SafetyNet attestation workarounds for Magisk - Displax/safetynet-fix
github.com
It is a safety net fix but it's been modded by displax and yes it does work, I have two cards on my phone which both work perfectly fine..
There's a wallet thread on the 10 pro forum just look for it, my original post listing this link is hosted there.

It's never as straight forward as you make it out )
after you install safetynet-fix-v2.4.0-MOD_1.2.zip as a module (that's never specified) you will pass a YASNAC test but google play will still say it's uncertified. You have to then delete all data and cache for the google play services app and the google play app. Then reboot. Also you have to confirgure the ignore list in magisk settings to include 2 checkboxes for the google play services app and also check any other banking app that needs to be fooled like revolut (which checks for root).
So i guess i`ll make a how to tomorrow since i was lucky enough to find some indian guys detailing all the steps.
Thank for the info and the support

qiuness said:
It's never as straight forward as you make it out )
after you install safetynet-fix-v2.4.0-MOD_1.2.zip as a module (that's never specified) you will pass a YASNAC test but google play will still say it's uncertified. You have to then delete all data and cache for the google play services app and the google play app. Then reboot. Also you have to confirgure the ignore list in magisk settings to include 2 checkboxes for the google play services app and also check any other banking app that needs to be fooled like revolut (which checks for root).
So i guess i`ll make a how to tomorrow since i was lucky enough to find some indian guys detailing all the steps.
Thank for the info and the support
Click to expand...
Click to collapse
The USNF mod by Displax should disable DenyList on GMS.

qiuness said:
It's never as straight forward as you make it out )
after you install safetynet-fix-v2.4.0-MOD_1.2.zip as a module (that's never specified) you will pass a YASNAC test but google play will still say it's uncertified. You have to then delete all data and cache for the google play services app and the google play app. Then reboot. Also you have to confirgure the ignore list in magisk settings to include 2 checkboxes for the google play services app and also check any other banking app that needs to be fooled like revolut (which checks for root).
So i guess i`ll make a how to tomorrow since i was lucky enough to find some indian guys detailing all the steps.
Thank for the info and the support
Click to expand...
Click to collapse
Then why ask?? And no you're not correct, I didn't wipe anything...I installed the module, rebooted and added my card. End of story.
FYI there are already threads detailing this, you just needed to look...

well maybe it worked for you.. adding cards didnt work after installing the fix out of the box, but worked after editing deny lists and clearing data and cache..
Thank you again for pointing me in the right direction

Use your thanks button buddy.
Also tbh, if you've made it this far and you dont know what a deny list is then if be very surprised.
Those types of things are common knowledge.
What version is working is the bigger question, hence why I mentioned it

Well all good things last 3 days.. My payment worked great, but for some reason today it failed everywhere I tried to use my phone to pay..
Everything looks fine.. So what could it be?
This is the error
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}

@qiuness have you disabled auto updates in Google play store?
My deny list is as attached.
Clear data to all the apps listed on the deny list then retry.

Thanks.. Will I be able to auto update other apps if I include the play store in the deny list?

qiuness said:
Thanks.. Will I be able to auto update other apps if I include the play store in the deny list?
Click to expand...
Click to collapse
Yea you can pick and choose, the deny list doesn't stop updates.
I would just avoid auto updates on all apps, again if it's not broke don't fix it.
I'll decide if I need the updates if and when its available..

Okay i disabled auto update and added what you have in your deny list, deleted data on wallet and play store. let's see how it goes.
Thanks

qiuness said:
Okay i disabled auto update and added what you have in your deny list, deleted data on wallet and play store. let's see how it goes.
Thanks
Click to expand...
Click to collapse
Can't say for anyone else, all I know is that mines working great... Fingers crossed for you bud